White Hat Bug Bounty Program

Earn money and recognition for your responsible disclosures

LaunchKey fully supports and values the security research community. As such, we encourage security researchers to responsibly disclose security vulnerabilities after reviewing our responsible disclosure policy and bug bounty guidelines found on this page.

Responsible disclosure policy

Responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users and developers. Responsible disclosure includes:

Providing us with a reasonable amount of time to fix the security vulnerability before publishing your find

Making a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research and testing

Only targeting accounts you have created for the purpose of your security research, and never attempting to access or disrupt another user's service

We will not bring legal action against any researcher who discloses security vulnerabilities using the responsible disclosure guidelines above.

Bug bounty

To show our appreciation and respect to the security researchers who volunteer their time to improve our service, we offer a monetary bounty for certain security bugs.

Eligibility

In addition to adhering to our Responsible Disclosure Policy above, to qualify for a bounty reward you must be the first individual to responsibly disclose the bug, and report a security vulnerability that could compromise the integrity of LaunchKey services or user data, circumvent privacy protections, or enable access to systems within LaunchKey. Our bug bounty also covers SDKs, libraries and plugins developed and supported by LaunchKey, but excludes third party developed libraries, plugins, etc.

Qualifying Bugs:

Cross-Site Scripting (XSS)

Cross-Site Request Forgery (CSRF)

Authentication Flaws (e.g. LaunchKey OAuth bugs)

Remote Code Execution

Privilege Escalation

Code Injection

Non-qualifying Bugs

Typically, the following types of bugs are not eligible for a bounty:

Security vulnerabilities on sites hosted by third parties (e.g. launchkey.desk.com) unless they lead to a vulnerability on a LaunchKey-hosted site

Security vulnerabilities in third party applications which use the LaunchKey API

Security vulnerabilities in third party plugins, libraries or tools that use the LaunchKey API

Denial of service (DoS)

Spamming

Social Engineering

Bugs affecting outdated or unpatched browsers

Biometric forgeries

Reward

The minimum bounty for a qualifying security vulnerability is $200 USD

There is no maximum bounty; the value of the bounty is based on a combination of the severity of the bug and creativity of the exploit

How to report a bug

If you believe you've discovered a security vulnerability in LaunchKey, you may responsibly disclose your find by sending an email to security@launchkey.com using our optional PGP key below. Please include the following details with your disclosure:

Description of vulnerability and potential impact

Detailed description of steps taken to reproduce the bug or proof of concept

Name and/or link for (optional) attribution on this page

PGP Key

If you'd like to encrypt your communications with LaunchKey, please use our PGP key below. All security-related emails from LaunchKey will be signed with this key.

LaunchKey is the first decentralized auth platform for the post-password era and the Internet of Things (IoT) that turns the mobile devices customers, end users, and employees already own into advanced smart keys capable of strong multi-factor authentication, real-time authorization, access control, and identity validation -- all through one consolidated platform that can be used online or offline.